I am attempting to use the CallbackRegistry library in order to create virtual registry keys (and subkeys) along with virtual values which will be backed not by the real registry, but an in-memory data structure.

I am wondering what the recommended way of doing this is. Right now I am handling the enumeration callback and the query callback for values and it is functional, aside from me setting values which are larger than the original buffer size and they request a cached information structure.

It's necessary to handle the enumeration and the query callbacks as you do, but additionally it's required to handle the PreCreate and PreOpen callbacks in the following way:
1. Create some hidden place in the registry and place there some "backend" keys.
2. In the PreCreate and PreOpen callbacks for keys being virtualized create or open a key from that hidden place and return the handle via the KeyHandle parameter of these callbacks. In the case the "backend" key is absolutely the same as the virtualized one it isn't required to do additional handling in other callbacks.

The "backend" key is required at least to return handle to the system. It can be one "universal" empty key and its handles you will return for all virtualized keys. But such way requires to handle all other callbacks to virtualize data for the keys being virtualized. So the easier way is to create a set of "backend" keys which maximally correspond to virtualized ones in order to minimize handling in the CallbackRegistry callbacks. The maximally simple processing in such way is implemented in the GenSample sample application (see there the "redirection" section).

Just an update. I am able to work around the BSOD by doing as GenSample does and setting the key handle to be one gotten from my "universal" key (pinvoke RegCreateKeyEx). After handling OnPreQueryKey and OnPreEnumerate key I am able to get a "virtual" key to show up along with values which do not exist in the actual registry.

My problem is now virtual subkeys / values of the existing virtual key. The callback for OnPreQueryKey gets called for the virtual key as a result of f5 in regedit with a class of KeyCachedInformation, which I fill in based on my data structure in memory to indicate number of subkeys, values etc. After that I do not see any additional callbacks referencing the key (either query or key level enumeration). I'm wondering if the KeyCachedInformation is being handled properly as it seems no matter what I put in there it doesn't change the outcome.

Thank you! I have been working with this more and it seems that handling KeyCachedInformation in OnPreQueryKey definitely causes issues. If I handle this for a not virtual key such as hklm:\Software without setting stopFiltering to true I see that regedit thinks there are no subkeys for it no matter what I put in the EcbRegKeyCachedInformation structure. I cannot set stopFiltering because I need to handle enumeration as well in order to create a merged view (add additional virtual subkeys). Depending on how the client does the enumeration (loop through until ERROR_NO_MORE_ITEMS, or specifically only loop through based on the result of the query) the virtual key may or may not be visible to the client. Regedit appears to take the first approach and so the virtual key appears, but powershell get-childitem takes the second and so it doesn't show there.

Thanks again for all of your help. This product saves a lot of headache of doing all of this in kernel mode.

More information. Any attempt to modify KeyCachedInformation in either the OnPre/PostQueryKey event results in the same corruption of data. I'm pretty much at a stand still at this point, but very close to achieving my requirements if this were functioning. Perhaps I will write a small client application in order to see what is returned to the client.

Here is the result from my very small .NET client application that just attempts to get the subkeys of hklm:\Software. It reports the same exception as powershell (not surprising). I suspect the callback on the driver side is returning an error whenever I fill in the KeyCachedInformation data.

Unhandled Exception: System.IO.IOException: A device attached to the system is n
ot functioning.

at Microsoft.Win32.RegistryKey.Win32Error(Int32 errorCode, String str)
at Microsoft.Win32.RegistryKey.InternalSubKeyCount()
at Microsoft.Win32.RegistryKey.InternalGetSubKeyNames()
at Microsoft.Win32.RegistryKey.GetSubKeyNames()
at QuickQuery.Program.Main(String[] args) in c:\Source\QuickQuery\QuickQuery\
Program.cs:line 16

We use cookies to help provide you with the best possible online experience. By using this site, you agree that we may store and access cookies on your device. You can find out more about and set your own preferences here.